During the third week of National Supply Chain Integrity Month, CISA is emphasizing the importance of understanding supply chain threats. As technology evolves, so does the threat environment. Of particular importance is securing information and communications technology (ICT) supply chains. With ICT serving as the bedrock for the nation’s critical infrastructure, its supply chains are valuable targets for adversaries seeking to steal, compromise, alter, or destroy sensitive information stored in and communicated through ICT.
Recent software compromises and other security incidents have revealed how new and inherent vulnerabilities in global supply chains can have cascading impacts that affect all users of ICT within and across organizations, sectors, and the National Critical Functions. To help organizations understand these threats and how to mitigate them, CISA’s ICT Supply Chain Risk Management (SCRM) Task Force developed the Threat Scenarios Report that provides acquisition and procurement personnel and others with practical, example-based guidance on supplier SCRM threat analysis and evaluation.
Using feedback from end users and stakeholders, the Task Force catalogued the universe of supply chain threats to develop a lexicon compartmentalized into nine categories (e.g., counterfeit parts, economic risks, external end-to-end supply chain risks). Additionally, the Task Force developed sample scenarios with mitigation controls intended to help an organization strengthen its security posture.
To learn more about how CISA enhances supply chain resiliency and to view online resources, visit www.cisa.gov/supply-chain-integrity-month.
ICT SCRM TASK FORCE: THREAT SCENARIOS REPORT
The ICT SCRM Task Force Working Group on Threat Evaluation (WG2) was created with the purpose of identifying processes and criteria for threat-based evaluation of ICT suppliers, products, and services.
In February 2020, WG2 released an initial report on Threat Scenarios focused specifically on “suppliers”. WG2 leveraged the NIST Risk Management Practices described in NIST SP 800-161 to help guide the analysis of supply chain risk management threats and threat sources. After evaluating close to 200 supply chain threats, WG2 compartmentalized them into nine supplier threat categories to aid in the evaluation process and to guide the development of scenarios that illustrate the processes and criteria for conducting supplier threat assessments. For each category, WG2 developed scenarios that specify the threat, source(s) or actor(s), outcome, mitigating strategies, and additional information.
The latest report, Version 2, released in February 2021, adds an assessment of “impacts” and “mitigating controls” to the supplier threat scenarios originally provided. Version 2 also includes threat mitigating strategies and SCRM controls that may reduce the impact of these threats. The objective is to provide practical, example-based guidance on supplier SCRM threat analysis and evaluation that government and industry can apply during procurement or source selection to assess supply chain risks and to develop practices and procedures for managing the potential impact of these threats.
These reports are provided “as is” for informational purposes only and serve as a baseline evaluation of risks to ICT suppliers.
ICT SCRM Task Force Threat Scenarios Report, Version 1
ICT SCRM Task Force Threat Scenarios Report, Version 2